OWASP Dallas Chapter

With the era of “vibe coding” taking off, where speed and fluidity drive software delivery, Static Application Security Testing (SAST) faces a rising challenge: managing false positives without slowing the pace. Striking the right balance between catching real vulnerabilities and avoiding wasted time on non-issues is key.

In this session, we’ll explore why false positives occur, the trade-offs that cause them, and how context shapes what’s truly risky—especially when rapid, iterative coding styles are in play.

Through practical, real-world scenarios, we’ll cover:

- The FP/FN trade-off and why chasing zero false positives can introduce other risks.
- The three core drivers of false positives: algorithms, rules, and context.
- How risk appetite and environmental context change the definition of a vulnerability.
- Strategies for prioritizing, triaging, and reducing noise without slowing momentum.

By the end of the session, you’ll have a clearer perspective on why fully eliminating false positives is rarely practical - and how to manage them so SAST remains a trusted safeguard in fast-moving development workflows.

The era of AI-powered attackers is no longer theoretical. Autonomous and semi-autonomous tools are now capable of identifying, exploiting, and adapting to vulnerabilities at a scale and speed that surpass human capacity. This talk explores the implications of a world where AI-driven threats are a permanent part of the landscape.

We begin with a candid look at the current state of application security, where manual processes and outdated risk models struggle to keep pace with modern development. At the same time, AI-generated code is entering environments at an unprecedented rate, often with little to no review, expanding the attack surface in ways few organizations are prepared for.

Compounding the problem is a growing wave of global regulations pushing organizations to demonstrate security readiness, often without providing practical paths to achieve it. Within this context, the traditional approach of prioritizing and fixing only critical and high-severity issues is breaking down. Attackers, especially those leveraging AI, no longer view low or medium vulnerabilities as difficult hurdles. Most vulnerabilities should now be treated as easily exploitable.
This session offers a sharp, forward-looking assessment of the challenges ahead and outlines key shifts that application security teams must make to stay relevant and effective in the age of AI.

Jerry Hoff has decades of experience in technology and security, specializing in application security at an enterprise scale. He holds a Master’s in Computer Science from Washington University in St. Louis and has evaluated the security of applications for some of the largest financial, defense, and commercial organizations in the world.